What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
knowbe4.webp 2023-06-13 13:00:00 CyberheistNews Vol 13 #24 [The Mind's Bias] Pretexting Now Tops Phishing in Social Engineering Attacks (direct link)
CyberheistNews Vol 13 #24 | June 13th, 2023 [The Mind's Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The new Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches involve the "human element," so people are one of the most common factors contributing to successful data breaches. Let's drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that pretexting is now more prevalent than phishing in social engineering incidents. However, when we look at confirmed breaches, phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor's bank account details. What makes this attack dangerous is that the new bank account provided belongs to the attacker, so any payments the recipient makes to that account simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks, as the attackers do a lot of preparation beforehand.
They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor's. Attackers can make many subtle changes to trick their targets, especially if the targets receive many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the entire DBIR incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as with most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn't all doom and Spam Malware Vulnerability Threat Patching Uber APT 37 ChatGPT ChatGPT APT 43 ★★
silicon.fr.webp 2023-06-08 09:30:34 Refactoring applications for Kubernetes: a security risk not to be overlooked (direct link) While no application today can claim to be fully "ransomware proof", organisations that refactor their applications for Kubernetes risk running into real security and performance challenges. Ransomware Uber ★★
CVE.webp 2023-06-07 15:15:09 CVE-2023-2878 (direct link) Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.
Uber
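A check for the exposure this advisory describes, written here as an added example and not taken from the secrets-store-csi-driver project: scan log lines for Kubernetes service account tokens. They are JWTs, so the payload can be base64url-decoded without the signing key; bound tokens carry a `kubernetes.io` claim and legacy secret-based tokens a `sub` of `system:serviceaccount:<namespace>:<name>`. The log lines, the token (unsigned, with a junk signature) and the `csi-secrets-store` service account name are all constructed for the example; the driver's real log format is not reproduced.

```python
import base64
import json
import re

# Three base64url segments; the first is the base64 of '{"', which always starts "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token: str):
    """Decode the payload without verifying the signature: the question is whether a
    token leaked, not whether it is valid."""
    try:
        return json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):  # bad base64, bad JSON, or not three parts
        return None


def service_account_of(payload) -> str:
    """'namespace/name' when the payload is a Kubernetes SA token, else ''."""
    if not isinstance(payload, dict):
        return ""
    bound = payload.get("kubernetes.io")          # bound tokens (TokenRequest API)
    if isinstance(bound, dict) and isinstance(bound.get("serviceaccount"), dict):
        return f'{bound.get("namespace")}/{bound["serviceaccount"].get("name")}'
    sub = payload.get("sub", "")                  # legacy secret-based tokens
    parts = sub.split(":") if isinstance(sub, str) else []
    if len(parts) >= 4 and parts[0] == "system" and parts[1] == "serviceaccount":
        return f"{parts[2]}/{parts[3]}"
    return ""


def find_leaked_tokens(lines):
    """(line_number, namespace/name, redacted_token) for every SA token found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in JWT_RE.finditer(line):
            tok = m.group(0)
            sa = service_account_of(jwt_payload(tok))
            if sa:
                hits.append((n, sa, tok[:12] + "..." + tok[-6:]))
    return hits


def fake_token(payload: dict) -> str:
    """Constructed, unsigned token for the sample: real header/payload shape, junk signature."""
    header = _b64url_encode(b'{"alg":"RS256","kid":"example"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{_b64url_encode(b'not-a-real-signature')}"


SA_TOKEN = fake_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:csi-secrets-store",
    "aud": ["vault"],
    "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "csi-secrets-store"}},
})
USER_TOKEN = fake_token({"iss": "https://idp.example", "sub": "alice", "aud": "web"})

# Constructed log lines; only the second one carries a service account token.
SAMPLE_LOG = [
    "I0607 10:00:01 mounter.go:88] mounting secret for pod default/app-1",
    f'I0607 10:00:01 provider.go:120] provider request: {{"tokens":"{SA_TOKEN}"}}',
    f"I0607 10:00:02 auth.go:30] upstream login ok, token={USER_TOKEN}",
]


def demo():
    return find_leaked_tokens(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Feed it the output of `kubectl logs` for the driver's pods (and anything that ships those logs onward). A hit is a bearer credential in the clear: treat it as an exposure of that service account, not just a log-hygiene bug, and rotate or restart the workload so a fresh token is issued.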
silicon.fr.webp 2023-06-07 11:15:11 Let's stop procrastinating on updating information systems! (direct link) A company's infrastructure evolves constantly, from a centralised architecture to a distributed one, from centralised architecture to cloud infrastructure, and from the cloud to Kubernetes. The same is true of the backup sector, which has seen major changes over the past two decades. Yet evolving one's technology is not just a Cloud Uber ★★
CVE.webp 2023-06-05 14:15:09 CVE-2023-0545 (direct link) The Hostel WordPress plugin before 1.1.5.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Uber
CVE.webp 2023-06-01 17:15:10 CVE-2023-34091 (direct link) Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs because resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load, since policies are typically not applied to objects which are being deleted. However, this could allow a malicious user to leverage the Kubernetes finalizers feature: by setting a finalizer that causes the Kubernetes API server to set the `deletionTimestamp` and then never completing the delete operation, the user can explicitly bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.
Uber
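The bypass in the advisory above, worked through in Python as an added example (not Kyverno's code): a simplified admission check that exempts objects carrying `metadata.deletionTimestamp`, the same check without the exemption, and a finder for objects parked in that pending-deletion state, which is what a defender on a pre-1.10.0 version would want to hunt for. The validate rule (deny NodePort Services), the `example.com/hold` finalizer and the manifests are constructed for the example; the field names are the real Kubernetes ones.

```python
from datetime import datetime, timedelta, timezone


def violates_policy(obj: dict) -> bool:
    """Hypothetical validate rule: Services of type NodePort are not allowed."""
    return obj.get("kind") == "Service" and obj.get("spec", {}).get("type") == "NodePort"


def pending_deletion(obj: dict) -> bool:
    return bool(obj.get("metadata", {}).get("deletionTimestamp"))


def admit_with_exemption(obj: dict) -> bool:
    """Simplified model of the pre-1.10.0 behaviour in the advisory: an object that is
    pending deletion is skipped, so the rule never runs on it. True means admitted."""
    if pending_deletion(obj):
        return True
    return not violates_policy(obj)


def admit_without_exemption(obj: dict) -> bool:
    """The rule is evaluated whether or not deletionTimestamp is set (what the fix
    implies; Kyverno's real implementation is more involved than this)."""
    return not violates_policy(obj)


def stuck_deletions(items, now: datetime, older_than: timedelta):
    """Objects pending deletion for longer than `older_than` that still carry finalizers.
    A resource parked in that state to exploit the exemption looks exactly like a
    genuinely stuck finalizer, so the finalizer names are returned for triage."""
    found = []
    for obj in items:
        md = obj.get("metadata", {})
        ts, finalizers = md.get("deletionTimestamp"), md.get("finalizers") or []
        if not ts or not finalizers:
            continue
        since = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - since >= older_than:
            found.append((md.get("namespace", ""), obj.get("kind"), md.get("name"), list(finalizers)))
    return found


# Constructed objects in `kubectl get -o json` shape, trimmed to the fields used.
NOW = datetime(2023, 6, 3, 12, 0, tzinfo=timezone.utc)
BYPASS_SERVICE = {  # NodePort Service held in Terminating by a finalizer nobody removes
    "kind": "Service",
    "metadata": {"name": "exfil", "namespace": "default",
                 "deletionTimestamp": "2023-06-01T12:00:00Z",
                 "finalizers": ["example.com/hold"]},
    "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]},
}
PLAIN_SERVICE = {"kind": "Service", "metadata": {"name": "web", "namespace": "default"},
                 "spec": {"type": "ClusterIP"}}
NORMAL_DELETE = {  # ordinary foreground deletion in progress, ten seconds old
    "kind": "Deployment",
    "metadata": {"name": "old", "namespace": "default",
                 "deletionTimestamp": "2023-06-03T11:59:50Z",
                 "finalizers": ["foregroundDeletion"]},
}


def demo():
    return {
        "bypass_admitted_with_exemption": admit_with_exemption(BYPASS_SERVICE),
        "bypass_admitted_without_exemption": admit_without_exemption(BYPASS_SERVICE),
        "stuck": stuck_deletions([BYPASS_SERVICE, PLAIN_SERVICE, NORMAL_DELETE],
                                 NOW, timedelta(hours=1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `stuck_deletions` output is the thing to feed into triage on clusters that cannot upgrade yet: a Service or other non-Pod resource that has sat in Terminating for hours with a finalizer no controller in the cluster owns is either a broken operator or exactly the object the advisory describes. The fix also has a constraint to respect: the API server removes finalizers with an update to the terminating object, so a policy that rejects every update to a terminating object would leave it stuck forever, which is why the blanket exemption existed in the first place.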
CVE.webp 2023-06-01 13:15:10 CVE-2023-22647 (direct link) An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to take advantage of their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted but their read-level permissions to the secret being preserved. When this operation was followed by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. Vulnerability Uber
knowbe4.webp 2023-05-31 13:00:00 CyberheistNews Vol 13 #22 [Eye on Fraud] A Closer Look at the Massive 72% Spike in Financial Phishing Attacks (direct link)
CyberheistNews Vol 13 #22 | May 31st, 2023 [Eye on Fraud] A Closer Look at the Massive 72% Spike in Financial Phishing Attacks With attackers knowing that financial fraud-based phishing attacks are best suited to the one industry where the money is, this massive spike in attacks should both surprise you and not surprise you at all. When you want tires, where do you go? Right – to the tire store. Shoes? Yup – the shoe store. The most money you can scam from a single attack? That's right – the financial services industry, at least according to cybersecurity vendor Armorblox's 2023 Email Security Threat Report. According to the report, attacks on the financial services industry increased by 72% over 2022, and it was the single largest target of financial fraud attacks, representing 49% of all such attacks. When breaking down the specific types of financial fraud, it doesn't get any better for the financial industry: 51% of invoice fraud attacks targeted the financial services industry; 42% were payroll fraud attacks; 63% were payment fraud. To make matters worse, nearly one-quarter (22%) of financial fraud attacks successfully bypassed native email security controls, according to Armorblox. That means roughly one in five email-based attacks made it all the way to the inbox. The next layer in your defense should be a user who is properly educated, using security awareness training, to easily identify financial fraud and other phishing-based threats, stopping them before they do actual damage. Blog post with links: https://blog.knowbe4.com/financial-fraud-phishing [Live Demo] Ridiculously Easy Security Awareness Training and Phishing Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, June 7, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users. Ransomware Malware Hack Tool Threat Conference Uber ChatGPT ChatGPT Guam ★★
AlienVault.webp 2023-05-30 22:00:00 SeroXen RAT for sale (direct link)
This blog was jointly written with Alejandro Prada and Ofer Caspi. Executive summary SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it very accessible. Key takeaways: SeroXen is a fileless RAT that performs well at evading detection in static and dynamic analysis. The malware combines several open-source projects to improve its capabilities: it is a combination of Quasar RAT, r77-rootkit and the command-line tool NirCmd. Hundreds of samples have shown up since its creation, most of them in the gaming community. It is only a matter of time before it is used to target companies instead of individual users. Analysis Quasar RAT is a legitimate open-source remote administration tool, offered on its GitHub page for user support or employee monitoring. It has historically been associated with malicious activity performed by threat actors, APT groups (as in this Mandiant report from 2017) or government attacks (in this report by Unit42 in 2017). It was first released in July 2014 as "xRAT" and renamed to "Quasar" in August 2015. Updates to the code have been released since then, up to v1.4.1 in March 2023, which is the most current version. As an open-source RAT still receiving updates 9 years after its creation, it is no surprise that it continues to be a common tool, used by itself or combined with other payloads by threat actors to this day. In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some features to the original RAT. It is sold for a monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.
Figure 1. SeroXen features announced on its website. This new RAT first showed up on a Twitter account established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/red team point of view, encouraging people to buy the tool because it is worth the money; they claimed to be a reseller of the tool. In December 2022, a specific domain was registered to market and sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license for $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal. After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter and YouTube, and on several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games; the artifacts described by the users matched SeroXen RAT. The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th Malware Tool Threat Uber APT 10 ★★
CVE.webp 2023-05-30 11:15:09 CVE-2023-33234 (direct link) Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows a user to change the xcom sidecar image and resources via an Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0, which has removed the vulnerability.
Uber
CVE.webp 2023-05-30 07:15:09 CVE-2023-33191 (direct link) Kyverno is a policy engine designed for Kubernetes. Kyverno's seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.
Uber
silicon.fr.webp 2023-05-29 15:37:43 Microsoft Azure Linux comes out of the shadows (direct link) The Microsoft Azure Linux distribution for Azure Kubernetes Service (AKS) is now available to all developers in the ecosystem. Uber ★★
DarkReading.webp 2023-05-25 13:00:00 CISO Criminalization, Vague Cyber Disclosure Rules Create Angst for Security Teams (direct link)
In the wake of the ex-Uber CISO verdict, CISOs ask for clearer rules and less uncertainty in managing disclosures, amid jail-time fears.
Uber ★★
CVE.webp 2023-05-22 15:15:09 CVE-2023-25448 (direct link) Cross-Site Request Forgery (CSRF) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin Vulnerability Uber
Korben.webp 2023-05-18 07:30:00 Join the DevOps elite with Ambient IT's Kubernetes training (direct link) (Article in partnership with Ambient IT) Today I'd like to tell you about a DevOps technology everyone loves: Kubernetes. In particular through the training offered by Ambient IT, which, besides being a member of the Linux Foundation, is also an official partner of the KTP (Kubernetes Training Partner) programme. As a reminder, … Read more
Uber ★★
RecordedFuture.webp 2023-05-11 11:00:00 The Marines' next cyber chief is stuck in a pileup of nominations in the Senate (direct link)
President Joe Biden's expected pick to helm the U.S. Marine Corps' digital warfighting branch is caught in a monthslong hold on senior military promotions and nominations in the Senate led by a Republican lawmaker. [Maj. Gen. Joseph "Jay" Matos](https://www.linkedin.com/in/jay-matos/) has been tapped to assume command of Marine Corps Forces Cyberspace Command, according to three people
Uber ★★
CVE.webp 2023-05-08 18:15:14 CVE-2023-30840 (direct link) Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running the Fluid CSI pod (controlled by the `csi-nodeplugin-fluid` node DaemonSet), they can leverage the fluid-csi service account to modify the specs of all the nodes in the cluster. However, since this service account lacks `list node` permissions, the attacker may need to use other techniques to identify vulnerable nodes. Once the attacker identifies and modifies the node specs, they can manipulate system-level privileged components to access all secrets in the cluster or execute pods on other nodes. This allows them to elevate privileges beyond the compromised node and potentially gain full privileged access to the whole cluster. To exploit this vulnerability, the attacker can make all other nodes unschedulable (for example, patch the nodes with taints) and wait for system-critical components with high privilege to appear on the compromised node. However, this attack requires two prerequisites: a compromised node and identifying all vulnerable nodes through other means. Version 0.8.6 contains a patch for this issue. As a workaround, delete the `csi-nodeplugin-fluid` DaemonSet in the `fluid-system` namespace and avoid using CSI mode to mount FUSE file systems. Alternatively, using sidecar mode to mount FUSE file systems is recommended.
Uber
RecordedFuture.webp 2023-05-08 00:50:00 Neuberger: Counter Ransomware Initiative focused on 'expanding the tent,' with Jordan, Costa Rica, Columbia joining (direct link)
The U.S. government and several other countries have been grappling with a key question over the last year: Should ransomware payments be banned, with select waivers available for special situations? Speaking at a Ransomware Task Force event on Friday, White House Deputy National Security Adviser Anne Neuberger said ransomware payment bans have been a topic
Ransomware Uber ★★
DarkReading.webp 2023-05-05 18:53:00 Judge Spares Former Uber CISO Jail Time Over 2016 Data Breach Charges (direct link)
Tell other CISOs "you got a break," judge says in handing down a three-year probation sentence to Joseph Sullivan.
Data Breach Uber Uber ★★
BBC.webp 2023-05-05 15:41:29 Ex-Uber security chief sentenced over covering up hack (direct link)
Joseph Sullivan was convicted over covering up a security breach of 57 million user accounts in 2016.
Hack Uber ★★
RecordedFuture.webp 2023-05-05 02:00:00 Ex-Uber CSO given three-year probation sentence, avoids prison after guilty verdict (direct link)
Former Uber chief security officer Joe Sullivan was given three years' probation by a U.S. federal judge on Thursday following a headline-grabbing conviction last year over his handling of a data breach. William Orrick, federal judge for the Northern District of California, decided against giving Sullivan any prison time in a tense hearing that involved
Uber Uber ★★
SecurityWeek.webp 2023-05-05 00:35:45 Former Uber CSO Joe Sullivan Avoids Prison Time Over Data Breach Cover-Up (direct link)
Former Uber security chief Joe Sullivan was sentenced to probation and community service for covering up the data breach suffered by the ride-sharing giant in 2016.
Data Breach Uber Uber ★★
News.webp 2023-05-04 23:20:14 Ex-Uber CSO gets probation for covering up theft of data on millions of people (direct link)
Exec begged judge for leniency – and it worked Joe Sullivan won't serve any serious time behind bars for his role in covering up Uber's 2016 computer security breach and trying to pass off a ransom payment as a bug bounty.…
Uber
CVE.webp 2023-05-04 08:15:22 CVE-2023-22651 (direct link) Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission webhook may lead to the misconfiguration of the webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected.
Vulnerability Uber
DarkReading.webp 2023-04-27 14:00:00 Combating Kubernetes - the Newest IAM Challenge (direct link)
IT leaders need to ensure Kubernetes clusters don't become a gateway for cybercriminals.
Uber ★★
GoogleSec.webp 2023-04-27 11:01:43 How we fought bad apps and bad actors in 2022 (direct link)
Posted by Anu Yamunan and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Compute Trust and Safety) Keeping Google Play safe for users and developers remains a top priority for Google. Google Play Protect continues to scan billions of installed apps each day across billions of Android devices to keep users safe from threats like malware and unwanted software. In 2022, we prevented 1.43 million policy-violating apps from being published on Google Play, in part due to new and improved security features and policy enhancements, in combination with our continuous investments in machine learning systems and app review processes. We also continued to combat malicious developers and fraud rings, banning 173K bad accounts and preventing over $2 billion in fraudulent and abusive transactions. We've raised the bar for new developers to join the Play ecosystem with phone, email, and other identity verification methods, which contributed to a reduction in accounts used to publish violative apps. We continued to partner with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over one million apps on Google Play. With strengthened Android platform protections and policies, and developer outreach and education, we prevented about 500K submitted apps from unnecessarily accessing sensitive permissions over the past 3 years. Developer Support and Collaboration to Help Keep Apps Safe As the Android ecosystem expands, it's critical for us to work closely with the developer community to ensure they have the tools, knowledge, and support to build secure and trustworthy apps that respect user data security and privacy. In 2022, the App Security Improvements program helped developers fix ~500K security weaknesses affecting ~300K apps with a combined install base of approximately 250B installs.
We also launched the Google Play SDK Index to help developers evaluate an SDK's reliability and safety and make informed decisions about whether an SDK is right for their business and their users. We will keep working closely with SDK providers to improve app and SDK safety, limit how user data is shared, and improve lines of communication with app developers. We also recently launched new features and resources to give developers a better policy experience. We've expanded our Helpline pilot to give more developers direct policy phone support. And we piloted the Google Play Developer Community so more developers can discuss policy questions and exchange best practices on how to build Malware Prediction Uber ★★★★
globalsecuritymag.webp 2023-04-27 09:17:46 The NIS2 directive, a lever for strengthening cyber-resilience (direct link) The NIS2 directive, a lever for strengthening cyber-resilience, by Christophe Auberger, Cybersecurity Evangelist France at Fortinet - Viewpoints Uber ★★
CVE.webp 2023-04-26 19:15:09 CVE-2023-30841 (direct link) Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone with cluster-wide read access to the management cluster, or with access to the management cluster's etcd storage. This issue is patched in baremetal-operator PR#1241 and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per the instructions in baremetal-operator PR#1241.
Uber
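The practical check after an advisory like CVE-2023-30841 is to look for the same mistake elsewhere: credential material sitting in ConfigMaps, which are commonly granted to cluster-wide read roles, rather than in Secrets, which RBAC can restrict separately. The script below is an added example, not baremetal-operator code. It parses a constructed document in the shape of `kubectl get configmaps -A -o json` (all namespaces, names, users and hash values are invented), reports ConfigMap keys that hold htpasswd-style hashes or credential-like key names, and builds the equivalent Secret manifest for the advisory's workaround of recreating the ConfigMap as a Secret.

```python
"""Find ConfigMaps carrying credential material (the CVE-2023-30841 pattern) and
build the Secret manifest that should replace them. Added example, not
baremetal-operator code; the sample ConfigMap list is constructed and every
name, user and hash in it is invented."""
import base64
import json
import re

# Hash prefixes used by htpasswd-style files: apr1 (MD5), bcrypt, sha-crypt, {SHA}.
HTPASSWD_HASH = re.compile(r"^(\$(apr1|2[aby]|5|6)\$|\{SHA\})")
# Key names that suggest a credential was stored in the wrong object type.
SENSITIVE_KEY = re.compile(r"htpasswd|passw|secret|token|\.pem$|\.key$", re.I)

# Constructed input mimicking `kubectl get configmaps -A -o json`.
SAMPLE_CONFIGMAP_ITEMS = [
    {"metadata": {"namespace": "baremetal-operator-system", "name": "ironic-htpasswd"},
     "data": {".htpasswd": "admin:$apr1$Zk8zQ1pF$constructedhash000000\n"
                            "inspector:$2y$05$constructedbcrypthashXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"}},
    {"metadata": {"namespace": "baremetal-operator-system", "name": "ironic-bmo-configmap"},
     "data": {"PROVISIONING_IP": "172.22.0.2", "HTTP_PORT": "6180"}},
    {"metadata": {"namespace": "monitoring", "name": "exporter-config"},
     "data": {"api-token": "not-a-real-token-value"}},
]
SAMPLE_CONFIGMAPS = json.dumps({"items": SAMPLE_CONFIGMAP_ITEMS})


def parse_htpasswd(text):
    """Return (user, hash) pairs from htpasswd-formatted text. Note that the
    usernames are plain text even when the passwords are hashed."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_hash = line.split(":", 1)
        entries.append((user, pw_hash))
    return entries


def find_credentials_in_configmaps(cm_list_json):
    """Flag ConfigMap keys whose value parses as an htpasswd file, or whose key
    name looks like a credential. Returns findings in input order."""
    findings = []
    for cm in json.loads(cm_list_json).get("items", []):
        ns, name = cm["metadata"]["namespace"], cm["metadata"]["name"]
        for key, value in (cm.get("data") or {}).items():
            users = [u for u, h in parse_htpasswd(value) if HTPASSWD_HASH.match(h)]
            if users:
                findings.append({"namespace": ns, "name": name, "key": key,
                                 "kind": "htpasswd", "users": users})
            elif SENSITIVE_KEY.search(key):
                findings.append({"namespace": ns, "name": name, "key": key,
                                 "kind": "sensitive-key-name", "users": []})
    return findings


def configmap_to_secret(cm):
    """Equivalent Opaque Secret manifest (Secret data is base64-encoded)."""
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"namespace": cm["metadata"]["namespace"], "name": cm["metadata"]["name"]},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in (cm.get("data") or {}).items()},
    }


def secret_value(secret, key):
    """Decode one key of a Secret manifest (inverse of configmap_to_secret)."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    for f in find_credentials_in_configmaps(SAMPLE_CONFIGMAPS):
        print(f)
    print(json.dumps(configmap_to_secret(SAMPLE_CONFIGMAP_ITEMS[0]), indent=2))
```

Moving the data into a Secret only helps if the Secret is then bound tighter than the ConfigMap was; anyone with `get`/`list` on `secrets` cluster-wide, or with read access to etcd, still sees it, which is why the advisory names etcd access separately.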
globalsecuritymag.webp 2023-04-26 08:17:21 Red Hat publishes the results of its report "The State of Kubernetes Security in 2023" (direct link) Red Hat publishes the results of its report "The State of Kubernetes Security in 2023" - Investigations Studies Uber ★★★
Anomali.webp 2023-04-25 18:22:00 Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server (direct link)
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023)
A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aqua Security researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers proceeded by gathering information about the cluster, checking whether they had already deployed to it, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRoleBinding. The attackers then created a DaemonSet so that a single API request deployed their workload to all nodes. The malicious image, pulled from the public registry Docker Hub, was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times, and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.
Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s clusters and cloud storage buckets are too often misconfigured, and threat actors know there is potential for malicious activity. A defense-in-depth approach (layering of security mechanisms, redundancy, fail-safe defense processes) is a good mitigation step to help prevent attacks from highly active threat groups.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop
Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023)
Investigation of the previously reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to determine that it resulted from a prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly available tool SigFlip decrypting an RC4 stream-cipher-encrypted payload and starting the publicly available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal's additional modules inject the C2 module into a browser process instance, create a Windows named pipe and
Ransomware Spam Malware Tool Threat Cloud Uber APT 38 ChatGPT APT 43 ★★
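The persistence chain described in the RBAC Buster story (and in The Hacker News item on the same campaign further down this page) is visible in kube-apiserver audit logs as an ordered set of writes by one principal: a ClusterRole create, a ClusterRoleBinding create, then a DaemonSet create. The detector below is an added example, not Aqua's or Anomali's code. It runs over a constructed JSON-lines audit log in the `audit.k8s.io/v1` Event shape (all object names, the image reference and the timestamps are invented), flags any write accepted from `system:anonymous`, and flags any principal that completed the three-step chain within a time window.

```python
"""Detect the Kubernetes RBAC persistence chain (ClusterRole -> ClusterRoleBinding
-> DaemonSet) in kube-apiserver audit events. Added example, not Aqua's or
Anomali's code. The audit log below is constructed; names, image and times
are invented."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CHAIN = ("clusterroles", "clusterrolebindings", "daemonsets")
WRITE_VERBS = {"create", "update", "patch", "delete"}


def _event(ts, user, verb, resource, name=None, namespace=None, code=200, image=None):
    """Build one constructed audit event as a JSON line."""
    e = {"stageTimestamp": ts, "verb": verb, "user": {"username": user},
         "objectRef": {"resource": resource, "name": name, "namespace": namespace},
         "responseStatus": {"code": code}}
    if image:
        e["requestObject"] = {"spec": {"template": {"spec": {"containers": [{"image": image}]}}}}
    return json.dumps(e)


SAMPLE_AUDIT_LOG = "\n".join([
    _event("2023-04-20T10:00:01Z", "system:anonymous", "list", "pods"),
    _event("2023-04-20T10:00:05Z", "system:anonymous", "delete", "deployments", "ctrl-agent", "kube-system"),
    _event("2023-04-20T10:00:09Z", "system:anonymous", "create", "clusterroles", "ctrl-agent"),
    _event("2023-04-20T10:00:10Z", "system:anonymous", "create", "clusterrolebindings", "ctrl-agent"),
    _event("2023-04-20T10:00:15Z", "system:anonymous", "create", "daemonsets", "ctrl-agent", "kube-system",
           image="docker.io/lookalike-org/ctrl-agent:1.0.1"),
    # A rejected request (403) must not count as a successful write.
    _event("2023-04-20T10:00:16Z", "system:anonymous", "create", "clusterrolebindings", "blocked", code=403),
    # Legitimate DaemonSet rollout by an admin, with no RBAC writes around it.
    _event("2023-04-20T11:30:00Z", "admin@example.com", "create", "daemonsets", "node-exporter", "monitoring",
           image="quay.io/prometheus/node-exporter:v1.5.0"),
])


def _images(request_object):
    """Container images from a DaemonSet/Deployment request body, if present."""
    try:
        return [c.get("image", "") for c in request_object["spec"]["template"]["spec"]["containers"]]
    except (TypeError, KeyError):
        return []


def parse_events(log_text):
    """Parse JSON-lines audit events, keeping only requests the API server accepted."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("responseStatus", {}).get("code", 0) >= 300:
            continue
        ref = e.get("objectRef") or {}
        events.append({
            "ts": datetime.strptime(e["stageTimestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": e.get("user", {}).get("username", "<unknown>"),
            "verb": e.get("verb"), "resource": ref.get("resource"),
            "name": ref.get("name"), "namespace": ref.get("namespace"),
            "images": _images(e.get("requestObject")),
        })
    return events


def detect_rbac_persistence(log_text, window_minutes=15):
    """Findings: every accepted write by system:anonymous, plus every principal
    that created all CHAIN resources within window_minutes before a DaemonSet."""
    findings = []
    creates = defaultdict(list)
    for ev in parse_events(log_text):
        if ev["user"] == "system:anonymous" and ev["verb"] in WRITE_VERBS:
            findings.append({"rule": "anonymous-write", "user": ev["user"],
                             "verb": ev["verb"], "resource": ev["resource"], "name": ev["name"]})
        if ev["verb"] == "create" and ev["resource"] in CHAIN:
            creates[ev["user"]].append(ev)
    window = timedelta(minutes=window_minutes)
    for user, evs in creates.items():
        for ds in (e for e in evs if e["resource"] == "daemonsets"):
            recent = {e["resource"] for e in evs if ds["ts"] - window <= e["ts"] <= ds["ts"]}
            if recent >= set(CHAIN):
                findings.append({"rule": "rbac-persistence-chain", "user": user,
                                 "daemonset": f'{ds["namespace"]}/{ds["name"]}', "images": ds["images"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rbac_persistence(SAMPLE_AUDIT_LOG):
        print(finding)
```

The chain rule keys on the principal and the ordering, not on object names, because the campaign chose names that impersonate legitimate components; the image list in the finding is what you then check against your allowed registries.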
RecordedFuture.webp 2023-04-25 16:45:00 DOJ urges CISOs to continue working with law enforcement ahead of Uber security chief's sentencing (direct link)
**SAN FRANCISCO -** Deputy Attorney General Lisa Monaco urged cybersecurity and compliance leaders to continue working with law enforcement agencies, tacitly responding to concerns raised by cybersecurity officials after the conviction of Uber's former security chief. Joe Sullivan, who was himself a prosecutor before becoming Uber's head of cybersecurity, will be sentenced next week after
Uber Uber ★★
CVE.webp 2023-04-25 12:15:09 CVE-2023-25490 (direct link) Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eric Teubert Archivist - Custom Archive Templates plugin Vulnerability Uber
CVE.webp 2023-04-24 21:15:09 CVE-2023-2250 (direct link) A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes that run the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this to bind cluster-admin to any service account, or use the service account to list all secrets in all Kubernetes namespaces, leading to cluster-level privilege escalation.
Uber
CVE.webp 2023-04-24 16:15:07 CVE-2023-30622 (direct link) Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments. An issue in Clusternet prior to version 0.15.2 can be leveraged to achieve cluster-level privilege escalation. Clusternet has a deployment called `cluster-hub` inside the `clusternet-system` Kubernetes namespace, which is scheduled onto an arbitrary worker node. The deployment has a service account called `clusternet-hub`, which is granted a cluster role called `clusternet:hub` via a cluster role binding. The `clusternet:hub` cluster role has `"*"` verbs on `"*.*"` resources. Thus, if a malicious user can access the worker node that runs the hub, they can leverage the service account to perform malicious actions on critical system resources. For example, the malicious user can leverage the service account to get all secrets in the entire cluster, resulting in cluster-level privilege escalation. Version 0.15.2 contains a fix for this issue.
Uber
The_Hackers_News.webp 2023-04-21 18:56:00 Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining (direct link)
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack
Cloud Uber ★★
The_Hackers_News.webp 2023-04-21 17:20:00 14 Kubernetes and Cloud Security Challenges and How to Solve Them (direct link)
Recently, Andrew Martin, founder and CEO of ControlPlane, released a report entitled Cloud Native and Kubernetes Security Predictions 2023. These predictions underscore the rapidly evolving landscape of Kubernetes and cloud security, emphasizing the need for organizations to stay informed and adopt comprehensive security solutions to protect their digital assets. In response, Uptycs, the first
Cloud Uber ★★
zataz.webp 2023-04-21 09:16:54 Uber faces a new data leak (direct link) Uber, one of the largest taxi services in the world, faces a new controversy over the leak of its drivers' data, and in Canada its Quebec subsidiary is hit by a class action!... Uber Uber ★★★
CVE.webp 2023-04-15 23:15:13 CVE-2018-17450 (direct link) An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via the Kubernetes integration, leading (for example) to disclosure of a GCP service token.
Uber
AlienVault.webp 2023-04-13 10:00:00 Cloud forensics - An introduction to investigating security incidents in AWS, Azure and GCP (direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
The cloud has revolutionized the way we do business. It has made it possible for us to store and access data from anywhere in the world, and to scale our businesses up or down as needed. However, the cloud also brings new challenges. One of the biggest is simply keeping track of all of the data that is stored in the cloud, which makes it difficult to identify and respond to security incidents. Another is that the cloud is a complex environment: there are many different services and components, and each stores different types of data in different ways. Finally, since cloud systems scale up and down far more dynamically than anything we have seen in the past, the data needed to understand the root cause and scope of an incident can disappear in the blink of an eye. In this blog post, we discuss the challenges of cloud forensics and incident response and offer some tips on how to address them.
How to investigate a compromise of a cloud environment
When you are investigating a compromise of a cloud environment, there are a few key steps that you should follow:
Identify the scope of the incident: The first step is to identify the scope of the incident. This means determining which resources were affected and how the data was accessed.
Collect evidence: The next step is to collect evidence. This includes collecting log files, network traffic, metadata, and configuration files.
Analyze the evidence: The next step is to analyze the evidence. This means looking for signs of malicious activity and determining how the data was compromised.
Respond to the incident and contain it: The next step is to respond to the incident. This means taking steps to mitigate the damage and prevent future incidents. For example, with a compromised EC2 instance in AWS, that may include stopping the instance (capture a memory dump first if you need volatile evidence, since stopping discards it) or updating its security group to block all network traffic, as well as isolating any associated IAM roles by attaching a DenyAll policy. Once the incident is contained, you have more time to investigate safely and in detail.
Document the incident: The final step is to document the incident. This includes creating a report that describes the incident, the steps that were taken to respond to it, and the lessons that were learned.
What data can you get access to in the cloud?
Getting access to the data required to perform an investigation and find the root cause is often harder in the cloud than on-prem. That is because you often find yourself at the mercy of whatever data the cloud providers have decided to let you access. That said, a number of different resources can be used for cloud forensics, including:
AWS EC2: Data you can get includes snapshots of the volumes and memory dumps of the live systems. You can also get the CloudTrail logs associated with the instance.
AWS EKS: Data you can get includes audit logs and control plane logs (delivered to CloudWatch Logs, from where they can be exported to S3). You can also get the container filesystem, which is normally the layered overlay2 storage driver, and the logs from containers that have been started and stopped.
AWS ECS: You can use ECS Exec (`aws ecs execute-command`), or kubectl exec for EKS workloads, to grab files from the filesystem and memory.
AWS Lambda: You can get CloudTrail logs and previous versions of the function.
Azure Virtual Machines: You can download snapshots of the disks in VHD format.
Azure Kubernetes Service: You can use
Cloud Uber ★★
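The "identify the scope" and "contain" steps above are concrete enough to show in code. The script below is an added example, not AT&T's or AWS's code. Given a suspected-compromised EC2 instance, it pulls every CloudTrail record that references the instance, either directly in request parameters or through the instance role's session credentials (the assumed-role session name of credentials obtained from the instance metadata service is the instance id), summarises identities, source addresses and time range, flags use of those role credentials from addresses the instance does not call AWS from (the classic sign of stolen instance credentials), and builds the DenyAll inline policy for isolating the role. The CloudTrail records, account id, ARNs, addresses and instance ids are constructed for the example.

```python
"""Scope an EC2 compromise from CloudTrail and prepare the IAM DenyAll
containment step. Added example, not AT&T's or AWS's code; all records,
identifiers and addresses below are constructed."""
import json

ACCOUNT = "111122223333"
# Credentials taken from the instance metadata service show up as an
# AssumedRole identity whose session name is the instance id.
ROLE_SESSION = {"type": "AssumedRole",
                "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/WebServerRole/i-0abc123def456",
                "sessionContext": {"sessionIssuer": {"userName": "WebServerRole"}}}
OPS_ADMIN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ops-admin", "userName": "ops-admin"}

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-04-10T08:01:12Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.45", "userIdentity": ROLE_SESSION, "requestParameters": None},
    {"eventTime": "2023-04-10T08:02:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.45", "userIdentity": ROLE_SESSION, "requestParameters": {}},
    {"eventTime": "2023-04-10T08:05:03Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.45", "userIdentity": ROLE_SESSION,
     "requestParameters": {"userName": "backup-svc"}, "errorCode": "AccessDenied"},
    {"eventTime": "2023-04-10T09:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "sourceIPAddress": "198.51.100.7", "userIdentity": OPS_ADMIN,
     "requestParameters": {"instanceId": "i-0abc123def456", "attribute": "userData"}},
    {"eventTime": "2023-04-10T09:20:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": OPS_ADMIN,
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0fff999other"}]}}},
]})


def _role_and_session(identity):
    """(role name, session name) for AssumedRole identities, else (None, None)."""
    if identity.get("type") != "AssumedRole":
        return None, None
    role = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return role, identity.get("arn", "").rsplit("/", 1)[-1]


def scope_instance(cloudtrail_json, instance_id, instance_ips=()):
    """Summarise every CloudTrail record that touches instance_id. instance_ips
    are the addresses the instance legitimately calls AWS from (its public IP or
    NAT gateway); role-session use from any other address is flagged."""
    records = json.loads(cloudtrail_json).get("Records", [])
    # Substring match over the serialised record catches ARNs as well as
    # request/response bodies, whatever their nesting.
    hits = [r for r in records if instance_id in json.dumps(r)]
    off_instance, roles = [], set()
    for r in hits:
        role, session = _role_and_session(r.get("userIdentity", {}))
        if role:
            roles.add(role)
        if session == instance_id and r.get("sourceIPAddress") not in instance_ips:
            off_instance.append((r["eventTime"], r["eventName"], r["sourceIPAddress"]))
    times = sorted(r["eventTime"] for r in hits)   # ISO-8601 UTC sorts lexically
    return {
        "events": [{"time": r["eventTime"], "name": r["eventName"], "source_ip": r["sourceIPAddress"],
                    "identity": r["userIdentity"]["arn"], "error": r.get("errorCode")} for r in hits],
        "identities": sorted({r["userIdentity"]["arn"] for r in hits}),
        "source_ips": sorted({r["sourceIPAddress"] for r in hits}),
        "roles_to_isolate": sorted(roles),
        "off_instance_credential_use": off_instance,
        "first": times[0] if times else None,
        "last": times[-1] if times else None,
    }


def deny_all_policy():
    """Inline policy that blocks every action for a role under investigation.
    Attach with: aws iam put-role-policy --role-name <role> --policy-name DenyAll
    --policy-document file://deny-all.json. An explicit Deny overrides any Allow
    already granted to the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "IsolateDuringIncident", "Effect": "Deny", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    summary = scope_instance(SAMPLE_CLOUDTRAIL, "i-0abc123def456", instance_ips=("192.0.2.10",))
    print(json.dumps(summary, indent=2))
    print(json.dumps(deny_all_policy(), indent=2))
```

Failed calls (the `AccessDenied` CreateUser above) stay in scope on purpose: they document intent and privilege probing even though nothing changed. The DenyAll policy isolates the role for every session, including the instance's own, so apply it once you have decided the workload can be taken offline.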
CVE.webp 2023-04-12 18:15:07 CVE-2023-30513 (direct link) Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
Uber
CVE.webp 2023-04-12 06:15:07 CVE-2023-30512 (direct link) CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because the DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret.
Uber
InfoSecurityMag.webp 2023-04-06 16:00:00 Uber Drivers' Data Exposed in Breach of Law Firm's Servers (direct link)
New Jersey-based Genova Burns disclosed the breach in an email to customers
Uber Uber ★★
DarkReading.webp 2023-04-04 21:50:00 Law Firm for Uber Loses Drivers' Data to Hackers in Yet Another Breach (direct link)
Uber gave sensitive data on drivers to a law firm representing the company in legal actions, but the data appears not to have had adequate security protections.
Uber Uber ★★★
CVE.webp 2023-03-22 19:15:12 CVE-2023-28114 (direct link) `cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2, `cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue. Due to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster. This issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium's Helm charts to create their cluster.
Uber
securityintelligence.webp 2023-03-22 13:00:00 Container Drift: Where Age isn't Just a Number (direct link) Container orchestration frameworks like Kubernetes have brought about untold technological advances over the past decade. However, they have also enabled new attack vectors for bad actors to leverage. Before safely deploying an application, you must answer the following questions: How long should a container live? Does the container need to write any files during runtime? […]
Uber ★★★
CVE.webp 2023-03-17 22:15:11 CVE-2023-27595 (lien direct) Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds. Vulnerability Uber
CVE.webp 2023-03-17 20:15:13 CVE-2023-27593 (lien direct) Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. The issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible. Uber
CVE.webp 2023-03-16 17:15:09 CVE-2023-28110 (lien direct) Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8. Vulnerability Uber
CVE.webp 2023-03-15 21:15:08 CVE-2023-26484 (direct link) KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure in system-level privileged components which can, for instance, read all secrets on the cluster, or exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node, potentially up to full privileged access to the whole cluster. The simplest way to exploit this, once a user has compromised a specific node, is to use the virt-handler service account to mark all other nodes unschedulable and simply wait until system-critical components with high privileges appear on that node. No patches are available as of time of publication. As a workaround, Gatekeeper users can add a webhook which will block the `virt-handler` service account from modifying the spec of a node. Uber
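The OCM, Clusternet, CubeFS, Cilium and KubeVirt advisories on this page share one shape: a component that runs on worker nodes holds a ServiceAccount token, and the ClusterRole behind that token is far broader than the node needs (wildcard verbs on wildcard resources, `get`/`list` on Secrets cluster-wide, `patch`/`update` on `nodes`, or `create` on `pods/exec`), so taking one node yields the whole cluster. The audit below is an added example, not code from any of those projects. It implements Kubernetes PolicyRule matching (including the `*` and `*/subresource` wildcards) and reports every ClusterRoleBinding subject whose ClusterRole trips one of those checks, over a constructed input in the shape of parsed `kubectl get clusterroles,clusterrolebindings -o json`; the role, binding and subject names are invented.

```python
"""Audit cluster-scoped RBAC for node-compromise escalation paths: wildcard
roles, cluster-wide Secret readers, node-spec writers and pod exec. Added
example, not code from OCM, Clusternet, CubeFS, Cilium or KubeVirt; the
sample roles, bindings and subjects are constructed."""

# (label, apiGroup, resource, verb): what a single PolicyRule must allow to trip the check.
CHECKS = [
    ("cluster-admin-equivalent", "*", "*", "*"),
    ("secrets-read-cluster-wide", "", "secrets", "get"),
    ("secrets-read-cluster-wide", "", "secrets", "list"),
    ("node-spec-write", "", "nodes", "patch"),
    ("node-spec-write", "", "nodes", "update"),
    ("pod-exec", "", "pods/exec", "create"),
]


def rule_allows(rule, api_group, resource, verb):
    """Kubernetes PolicyRule matching: '*' matches any group/resource/verb and
    '*/sub' matches that subresource on any resource. Passing '*' for a field
    matches only a literal wildcard in the rule."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    if not ("*" in groups or api_group in groups):
        return False
    if not ("*" in verbs or verb in verbs):
        return False
    for r in resources:
        if r == "*" or r == resource:
            return True
        if r.startswith("*/") and "/" in resource and resource.split("/", 1)[1] == r[2:]:
            return True
    return False


def audit_cluster_role_bindings(cluster_roles, bindings):
    """One finding per (subject, check) for every ClusterRoleBinding whose
    ClusterRole trips a check. cluster_roles maps role name -> ClusterRole."""
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        role = cluster_roles.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        if role is None:
            continue
        hits = {label for rule in role.get("rules", [])
                for label, group, resource, verb in CHECKS if rule_allows(rule, group, resource, verb)}
        if "cluster-admin-equivalent" in hits:      # every other check is implied
            hits = {"cluster-admin-equivalent"}
        for s in b.get("subjects", []):
            ns = s.get("namespace")
            subject = f'{s["kind"]}:{ns + "/" if ns else ""}{s["name"]}'
            for label in sorted(hits):
                findings.append({"subject": subject, "clusterRole": ref["name"],
                                 "binding": b["metadata"]["name"], "finding": label})
    return findings


# Constructed sample: a hub-style wildcard role, a CSI node role that reads
# Secrets, a VM node daemon that patches nodes, a read-only viewer, and exec.
SAMPLE_CLUSTER_ROLES = {
    "hub-manager": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    "csi-node": {"rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
                           {"apiGroups": ["storage.k8s.io"], "resources": ["csinodes"], "verbs": ["get", "list", "watch"]}]},
    "vm-node-daemon": {"rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch", "patch"]}]},
    "pod-viewer": {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    "debugger": {"rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
}
SAMPLE_BINDINGS = [
    {"metadata": {"name": "hub-manager"}, "roleRef": {"kind": "ClusterRole", "name": "hub-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "hub", "namespace": "hub-system"}]},
    {"metadata": {"name": "csi-node"}, "roleRef": {"kind": "ClusterRole", "name": "csi-node"},
     "subjects": [{"kind": "ServiceAccount", "name": "csi-node", "namespace": "storage"}]},
    {"metadata": {"name": "vm-node-daemon"}, "roleRef": {"kind": "ClusterRole", "name": "vm-node-daemon"},
     "subjects": [{"kind": "ServiceAccount", "name": "vm-handler", "namespace": "vm-system"}]},
    {"metadata": {"name": "pod-viewer"}, "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "debugger"}, "roleRef": {"kind": "ClusterRole", "name": "debugger"},
     "subjects": [{"kind": "Group", "name": "sre"}]},
    {"metadata": {"name": "dangling"}, "roleRef": {"kind": "ClusterRole", "name": "does-not-exist"}, "subjects": []},
]

if __name__ == "__main__":
    for f in audit_cluster_role_bindings(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f)
```

Two things the check does not cover and a real run must: aggregated ClusterRoles (rules collected via `aggregationRule` are only visible in the server-populated object, so audit the live object rather than the manifest), and namespaced RoleBindings that reference a ClusterRole, which grant the same verbs but only within one namespace. For node daemons the fix is the one the advisories converge on: a role scoped to the node's own objects, so a compromised node cannot read every Secret or reschedule privileged components onto itself.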
The_Hackers_News.webp 2023-03-15 15:41:00 New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining (lien direct) Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report shared with The General Information Uber ★★★
Last update at: 2024-05-10 13:08:07